Blocking IP from Amsterdam (95.211.194.79)

[sully213]

Last month (2013-Aug-06) we first encountered an alert from our Trend Worry-Free Business Security server of a URL that was being blocked by the Web Reputation rules (95.211.194.79). Trend is blocking this IP, so there must be some knowledge of what lies on the other side, but I have been unable to find any documentation on what is causing these connections at the rate of several per minute (leading to the Web Reputation limit striking the alert of >200 hour). This morning (2013-Sep-06) the URL Filtering alarm went off again. Checking the logs showed me the same computer that was infected (and thought to have been cleaned) from the August alarm as well as an additional infection coming from someone else. Googling this IP has led me to several other forums that describe the same kind of infection to this IP that traces back to an IP owned by LeaseWeb in Amsterdam, Netherlands but no one seems to have found a root source of these connections.

 

Here's what I've found so far....

 

When the initial infection occurred I did full offline system scans with multiple anti-malware programs, including Trend, MBAM, Kaspersky, ClamWin, and Windows Defender. All found and removed different things and after returning the system to live running Windows status the alarms did not return until this morning. Now that they've returned and I've searched elsewhere I think I can assume that this is not a well-known piece of malware at this point. Which leads me to wonder if Trend (and apparently MBAM pro) are blocking access to this particular IP, but are there others that this malware is attempting to use that are NOT being blocked that are allowing malicious payloads to be deposited (and re-deposited) on these systems? I should also note that the second computer showing up in the URL blocking this morning showed activity a few days ago and I again ran all of the above scans, but this time came back with nothing found.

 

The two attachments to this post are a combined log from the URL filtering events and some data I captured from Fiddler2 about those URLs. As you can see from the Trend logs, the IP address is always the same (95.211.194.79) and then followed by a /d/{8 random alphanumeric}/{32 random alphanumeric}/AA/{single digit 0-9}. Analyzing the 452 samples I have in the log, there are only 3 unique 8-length alphanumeric strings, but 126 unique 32 length alphanumeric strings. Combined, there are 382 unique URLs out of the 452 samples.

 

Moving on to the Fiddler2 logs, I obviously wasn't going to test all 382 unique URL's so you will only see the first 10 out of the Trend logs. However, you can still start to see a pattern emerge with just those 10 samples. The initial (blocked) URL redirects you to 46.229.165.122, which in turn redirects you to 46.229.165.121, which in turn redirects you to another page. Nine out of the 10 URL's in the Fiddler log finish at ads.featurelink.com with the 10th (3rd on in the log) having one more redirect to c.tdsgo.com which then dumps you at acuerdos.info. 

 

So.....what can I do to find this, clean it, and prevent it from getting back into our systems so I can sleep a bit easier and not worry about (this threat) potentially stealing our data/passwords or some other nefarious activity it may be doing?

1_Full (Fiddler log).txt

DesktopServerWRS.csv.txt

[sully213]

I forgot to mention that if you look at the Fiddler logs, the entries that end at ads.featurelink.com appear to contain some obfuscated javascript code. Who knows what that's trying to accomplish....

[AdvancedSetup]

Hello and

If you've not already done so please start here and post back the 2 log files DDS.txt and Attach.txt

P2P/Piracy Warning:
 

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

• Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
• If the log is too large then you can use attachments by clicking on the More Reply Options button.
• Please enable your system to show hidden files: How to see hidden files in Windows
• Make sure you're subscribed to this topic:
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
• Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
• Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
• The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
• You can check here if you're not sure if your computer is 32-bit or 64-bit
• Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
• When we are done, I'll give you instructions on how to cleanup all the tools and logs
• Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
• Your topic will be closed if you haven't replied within 3 days
• (If I have not responded within 24 hours, please send me a Private Message as a reminder)

STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1
Link 2

• On Windows XP double-click on the Rkill desktop icon to run the tool.
• On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• If the tool does not run from any of the links provided, please let me know.
• Do not reboot the computer, you will need to run the application again.

STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please download ERUNT from one of the following links: Link1 | Link2 | Link3
• ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
• Double click on erunt-setup.exe to Install ERUNT by following the prompts.
• NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
• Choose a location for the backup.
  • Note: the default location is C:\Windows\ERDNT which is acceptable.
• Make sure that at least the first two check boxes are selected.
• Click on OK
• Then click on YES to create the folder.
• Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

• RogueKiller 32-bit | RogueKiller 64-bit
• Quit all running programs.
• For Windows XP, double-click to start.
• For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
• Read and accept the EULA (End User Licene Agreement)
• Click Scan to scan the system.
• When the scan completes Close the program > Don't Fix anything!
• Don't run any other options, they're not all bad!!
• Post back the report which should be located on your desktop.

 

 

[sully213]

Here are the first logs as requested, gathering the other info now:

 

DDS (Ver_2012-11-20.01) - NTFS_x86 

Internet Explorer: 8.0.6001.18702

Run by sullivas at 11:18:53 on 2013-09-17

Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3292.2511 [GMT -4:00]

.

AV: Trend Micro Security Agent *Enabled/Updated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}

.

============== Running Processes ================

.

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Olympus\DeviceDetector\DM1Service.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

C:\Program Files\Google\Update\1.3.21.153\GoogleCrashHandler.exe

C:\Program Files\Purgos 3.0\PurgosAgent.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\snmptrap.exe

C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\UltraVNC\WinVNC.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\DYMO\DYMO Label Software\DLSService.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe

C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe

C:\WINDOWS\system32\rdpclip.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

.

============== Pseudo HJT Report ===============

.

uWindow Title = Windows Internet Explorer provided by Lancaster City Bureau of Police

uSearch Page =  http://www.bing.com

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\program files\trend micro\client server security agent\TmIEPlg.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [picon] "c:\program files\common files\intel\privacy icon\PIconStartup.exe" -startup

mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe

mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"

mRun: [uSCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [DLSService] "c:\program files\dymo\dymo label software\DLSService.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

uPolicies-Windows\System: ExcludeProfileDirs = Local Settings;Temporary Internet Files;History;Temp

mPolicies-Explorer: NoDriveTypeAutoRun = dword:255

mPolicies-Explorer: NoAutorun = dword:1

mPolicies-System: dontdisplaylastusername = dword:1

mPolicies-Windows\System: AddAdminGroupToRUP = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

Trusted Zone: docstar

Trusted Zone: lpdprintnew

Trusted Zone: docstar

Trusted Zone: lpdprintnew

TCP: NameServer = 10.17.8.21 10.17.8.22

TCP: Interfaces\{DFB5C8E0-1D2D-4EDF-9D59-B803C231C2FF} : DHCPNameServer = 10.17.8.21 10.17.8.22

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\TmIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages =  msv1_0 wvauth

.

============= SERVICES / DRIVERS ===============

.

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2010-3-17 24064]

R2 PurgosAgent;Purgos Remote Agent;c:\program files\purgos 3.0\PurgosAgent.exe [2009-9-30 1773568]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2013-8-19 62728]

R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\TmXpflt.sys [2012-12-4 264504]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\TmPreflt.sys [2012-12-4 36664]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2010-3-17 2066968]

R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2012-5-30 1589704]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-3-17 166568]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2013-9-17 105176]

R3 TmProxy;Trend Micro Security Agent NT Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2012-8-8 689712]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]

S4 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\clt-inst\vpremote.exe --> c:\temp\clt-inst\vpremote.exe [?]

.

=============== Created Last 30 ================

.

2013-09-17 13:52:00 105176 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys

2013-09-17 13:52:00 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)

2013-09-17 13:50:31 48728 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-09-10 16:14:21 -------- d-----w- c:\documents and settings\all users\application data\RICOH

2013-08-23 18:47:46 279040 ----a-w- c:\windows\system32\RICFAXJC32.DLL

2013-08-19 15:45:31 74600 ----a-w- c:\windows\system32\drivers\tmactmon.sys

2013-08-19 15:45:31 62728 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys

.

==================== Find3M  ====================

.

2013-07-18 19:57:46 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-07-18 19:57:46 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

============= FINISH: 11:20:02.15 ===============

 

 

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 3/21/2010 6:05:23 PM

System Uptime: 9/12/2013 10:42:59 AM (121 hours ago)

.

Motherboard: Dell Inc. |  | 0C27VV

Processor: Intel® Core2 Duo CPU     E8400  @ 3.00GHz | CPU | 1974/1333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 149 GiB total, 126.468 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

J: is NetworkDisk (NTFS) - 4657 GiB total, 1590.087 GiB free.

L: is NetworkDisk (NTFS) - 5589 GiB total, 2705.916 GiB free.

P: is NetworkDisk (NTFS) - 5589 GiB total, 2705.916 GiB free.

R: is NetworkDisk (NTFS) - 5589 GiB total, 2705.916 GiB free.

S: is NetworkDisk (NTFS) - 5589 GiB total, 2705.916 GiB free.

V: is NetworkDisk (NTFS) - 5589 GiB total, 2705.916 GiB free.

Z: is NetworkDisk (NTFS) - 4657 GiB total, 1590.087 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

32 Bit HP BiDi Channel Components Installer

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader 9.5.5

Adobe Shockwave Player 11.5

Archive Player

Backup CD Player

BDE

BioAPI Framework

CamStudio

Catalyst Control Center InstallProxy

CCleaner

Cody6

CutePDF Writer 2.8

DCP32MMWrapper

Dell Control Point

Dell ControlPoint Security Manager

Dell Embassy Trust Suite by Wave Systems

Dell Security Device Driver Pack

Divar XF 2.56 PC Software

Document Manager Lite

DYMO Label v.8

Easy Street Draw Internet ActiveX Control 2.1

EMBASSY Security Center

EMBASSY Security Setup

ESC Home Page Plugin

FileNet IDM Viewer 3.3

Gemalto

Geovision Codec

Google Earth

Google SketchUp 7

Google Toolbar for Internet Explorer

Google Update Helper

GPL Ghostscript 8.70

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2756822)

Hotfix for Windows XP (KB2779562)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB953955)

Hotfix for Windows XP (KB954434)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB958347)

Hotfix for Windows XP (KB959252)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB968764)

Hotfix for Windows XP (KB969084)

Hotfix for Windows XP (KB976098-v2)

ImageVault Playback

Intel® Graphics Media Accelerator Driver

Intel® Network Connections 14.8.43.0

Intel® Active Management Technology

Intel® Matrix Storage Manager

Intellex CD-Player

Internet Explorer

Java Auto Updater

Java 6 Update 24

K-Lite Codec Pack 3.1.5 Full

LAN-Fax Utilities

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2698023)

Microsoft .NET Framework 1.1 Security Update (KB2833941)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional Plus 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Software Update for Web Folders  (English) 12

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Mocha W32 TN5250 -- software from MochaSoft

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP3 Parser (KB2721691)

MSXML 4.0 SP3 Parser (KB2758694)

MSXML 4.0 SP3 Parser (KB973685)

MSXML 6.0 Parser (KB927977)

NTRU TCG Software Stack

OGA Notifier 2.0.0048.0

Olympus DSS Player Pro

Paint.NET v3.5.4

PDFCreator

Playback 2.3.0.4

PowerDVD DX

Preboot Manager

Private Information Manager

Purgos 3.0 Agent

RMS

Roxio Creator Audio

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE 10.3

Roxio Creator Tools

Roxio Express Labeler 3

Roxio Update Manager

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition 

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition 

Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition 

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition 

Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition 

Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition 

Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition 

Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition 

Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition 

Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition 

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition 

Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition 

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB2699988)

Security Update for Windows Internet Explorer 8 (KB2722913)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Internet Explorer 8 (KB2761465)

Security Update for Windows Internet Explorer 8 (KB2797052)

Security Update for Windows Internet Explorer 8 (KB2799329)

Security Update for Windows Internet Explorer 8 (KB2809289)

Security Update for Windows Internet Explorer 8 (KB2817183)

Security Update for Windows Internet Explorer 8 (KB2829530)

Security Update for Windows Internet Explorer 8 (KB2838727)

Security Update for Windows Internet Explorer 8 (KB2846071)

Security Update for Windows Internet Explorer 8 (KB2847204)

Security Update for Windows Media Player (KB2834904)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2685939)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2695962)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219)

Security Update for Windows XP (KB2707511)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2718523)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135)

Security Update for Windows XP (KB2724197)

Security Update for Windows XP (KB2727528)

Security Update for Windows XP (KB2731847)

Security Update for Windows XP (KB2753842-v2)

Security Update for Windows XP (KB2757638)

Security Update for Windows XP (KB2758857)

Security Update for Windows XP (KB2761226)

Security Update for Windows XP (KB2770660)

Security Update for Windows XP (KB2778344)

Security Update for Windows XP (KB2779030)

Security Update for Windows XP (KB2780091)

Security Update for Windows XP (KB2799494)

Security Update for Windows XP (KB2802968)

Security Update for Windows XP (KB2807986)

Security Update for Windows XP (KB2808735)

Security Update for Windows XP (KB2813170)

Security Update for Windows XP (KB2813347)

Security Update for Windows XP (KB2820197)

Security Update for Windows XP (KB2820917)

Security Update for Windows XP (KB2829361)

Security Update for Windows XP (KB2834886)

Security Update for Windows XP (KB2839229)

Security Update for Windows XP (KB2845187)

Security Update for Windows XP (KB2850851)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB963027)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB976325)

Security Wizards

SO32MMWrapper

ST Microelectronics TPM Driver Installer

Trend Micro Worry-Free Business Security Agent

Trusted Drive Manager

tsp patch

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB2836940)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Client Profile (KB2836939)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2836939)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596802) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition

Update for Microsoft Office Access 2007 Help (KB963663)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office Infopath 2007 Help (KB963662)

Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition

Update for Microsoft Office Outlook 2007 Help (KB963677)

Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817563) 32-Bit Edition

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Publisher 2007 Help (KB963667)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Update for Windows Internet Explorer 8 (KB2598845)

Update for Windows Internet Explorer 8 (KB2632503)

Update for Windows XP (KB2661254-v2)

Update for Windows XP (KB2718704)

Update for Windows XP (KB2736233)

Update for Windows XP (KB2749655)

Update for Windows XP (KB2808679)

Update for Windows XP (KB951618-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

UPEK TouchChip Fingerprint Reader

USB Playback Console

User Profile Hive Cleanup Service

VLC media player 1.0.5

Wave Infrastructure Installer

Wave Support Software

WaveReader Ver 4-0

WebFldrs XP

Windows Driver Package - Dell Inc. PBADRV System  (09/11/2009 1.0.1.6)

Windows Driver Package - STMicroelectronics (stmtpm) System  (05/24/2007 1.00.04.15)

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Management Framework Core

Windows Media Format 11 runtime

Windows Media Player 11

Windows Presentation Foundation

XML Paper Specification Shared Components Pack 1.0

.

==== Event Viewer Messages From Past Week ========

.

9/17/2013 10:30:02 AM, error: TermServDevices [1111]  - Driver Foxit Reader PDF Printer Driver required for printer Foxit Reader PDF Printer is unknown. Contact the administrator to install the driver before you log in again.

9/12/2013 4:02:20 AM, error: Tcpip [4199]  - The system detected an address conflict for IP address 10.17.8.130 with the system having network hardware address 00:24:81:00:10:BE. Network operations on this system may be disrupted as a result.

9/11/2013 3:32:49 PM, error: Dhcp [1002]  - The IP address lease 10.17.8.99 for the Network Card with network address 002564C9A060 has been denied by the DHCP server 10.17.8.25 (The DHCP Server sent a DHCPNACK message).

9/11/2013 3:17:29 PM, error: Tcpip [4199]  - The system detected an address conflict for IP address 10.17.8.99 with the system having network hardware address 00:25:64:BD:E9:B4. Network operations on this system may be disrupted as a result.

9/10/2013 6:19:39 PM, error: Print [22]  - Failed to ugrade printer settings for printer \\lpdprint01\AdminCopier,LocalOnly driver C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\ricA2Mui.dll error 6.

.

==== End Of File ===========================

 

 

[sully213]

RogueKiller log:

 

RogueKiller V8.6.11 [sep 11 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.adlice.com/forum/

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://tigzyrk.blogspot.com/

 

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : sullivas [Admin rights]

Mode : Scan -- Date : 09/17/2013 11:51:39

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [LOADED] ¤¤¤

[Address] SSDT[41] : NtCreateKey @ 0x8062426A -> HOOKED (Unknown @ 0x89CD1B74)

[Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x8AF923D4)

[Address] SSDT[47] : NtCreateProcess @ 0x805D1280 -> HOOKED (Unknown @ 0x8A3AEC0C)

[Address] SSDT[48] : NtCreateProcessEx @ 0x805D11CA -> HOOKED (Unknown @ 0x8A561864)

[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A2E -> HOOKED (Unknown @ 0x8A3E3464)

[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x8A2CF0FC)

[Address] SSDT[57] : NtDebugActiveProcess @ 0x80643CB2 -> HOOKED (Unknown @ 0x8AF7F1BC)

[Address] SSDT[63] : NtDeleteKey @ 0x80624706 -> HOOKED (Unknown @ 0x8A5688D4)

[Address] SSDT[65] : NtDeleteValueKey @ 0x806248D6 -> HOOKED (Unknown @ 0x8A56B754)

[Address] SSDT[68] : NtDuplicateObject @ 0x805BE03C -> HOOKED (Unknown @ 0x8A3E3424)

[Address] SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A2CF0BC)

[Address] SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (Unknown @ 0x8A3C0844)

[Address] SSDT[125] : NtOpenSection @ 0x805AA420 -> HOOKED (Unknown @ 0x8A38DFA4)

[Address] SSDT[128] : NtOpenThread @ 0x805CB712 -> HOOKED (Unknown @ 0x8A3CD84C)

[Address] SSDT[192] : NtRenameKey @ 0x80623C8C -> HOOKED (Unknown @ 0x8A568894)

[Address] SSDT[204] : NtRestoreKey @ 0x80625C4A -> HOOKED (Unknown @ 0x8A56B794)

[Address] SSDT[240] : NtSetSystemInformation @ 0x8060FE98 -> HOOKED (Unknown @ 0x8AF92394)

[Address] SSDT[247] : NtSetValueKey @ 0x806227DC -> HOOKED (Unknown @ 0x89CD1B34)

[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x8A3E49EC)

[Address] SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8A56A9DC)

[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A38DF64)

[Address] Shadow SSDT[548] : NtUserSetWindowsHookAW -> HOOKED (Unknown @ 0x8A5910A4)

[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89A2F0EC)

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection :  ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

 

 

127.0.0.1       localhost

127.0.0.1       lpdpatrol25 # LMS GENERATED LINE

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: WDC WD1600AAJS-75M0A0 +++++

--- User ---

[MBR] 8e16af64dad476dcef72b79d55a111e4

[bSP] 33011a5e6af84273cc2c64e92fc9f6b2 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 86 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 176715 | Size: 152499 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

Finished : << RKreport[0]_S_09172013_115139.txt >>

[AdvancedSetup]

Thanks,  nothing strange so far in the logs.

 

Please fully disable Trend while running the scans below so that it does not interfere with the results.

 

Your System Restore appears to be disabled.  Please enable it and create a new System Restore Point

 

Please uninstall ALL versions of Java as you have an old compromised version installed on the system.

 

 

Please go ahead and run through the following steps and post back the logs when ready.

STEP 03
Please download Malwarebytes Anti-Rootkit from here

• Unzip the contents to a folder in a convenient location.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
• Wait while the system shuts down and the cleanup process is performed.
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
• When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

STEP 04
Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next reply message
• When completed make sure to re-enable your antivirus

STEP 05
Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
• Copy and paste the contents of that logfile in your next reply.
• A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

STEP 06


Please go here to run the online antivirus scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings and ensure these options are ticked:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• If any threats were found, click the 'List of found threats' , then click Export to text file....
• Save it to your desktop, then please copy and paste that log as a reply to this topic.

STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

 

[sully213]

I believe we may have found the culprit here. After much digging to find the source of the connections (via SysInternals TCPView), we found a file called wow.dll (residing in the users' Temp directories) hooked into explorer.exe. This led us to a Microsoft Malware Protection center article that identified the infection as Trojan:Win32/Alureon.GQ (http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%253aWin32%252fAlureon.GQ&ThreatID=-2147285902&navV3Index=5#tab=2)

 

We found some removal instructions and our logs/alerts have been quiet since yesterday afternoon when we removed the infection. It also appears you've encountered this one before (http://forums.malwarebytes.org/index.php?showtopic=128418). We were able to isolate and make a copy of the malware files. Is there anyway we can send a copy to you to help get a detection signature into MBAM?

[AdvancedSetup]

Yes, please zip and attach the file and I will submit it

 

You may want to proceed with the other instructions though to ensure other trace entries are removed as most of these type of infections also come with at least PUP (Possibly Unwanted Program) entries, but that's up to you.

 

Thank you

[sully213]

Well, I thought we had the files (plural) but it turns out we just have the ini file that the wow.dll file uses for it's connection settings. Sorry, not sure where the dll file got to.

 

Here it is anyway for what it's worth.

 

wow.zip

[AdvancedSetup]

Okay, thanks.  Let me know if you want to run the other scans or not and if not we'll go ahead and close up here.

 

Thanks again

[sully213]

No, I think we're OK at this point and you can lock things up. Thank you for the help.

[AdvancedSetup]

Okay then we'll close up, however if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if ran at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
It will also reset your System Restore by flushing out previous restore points and create a new restore point.
It will also remove all the backups our tools may have created.

Uninstall ComboFix (if used):

• Turn off all active protection software including your antivirus.
• Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" Button)
• Please copy and past the following into the box ComboFix /Uninstall and click OK.
• Note the space between the X and the /Uninstall, it needs to be there.
  

Remove the rest of the tools used:

Please download

OTCleanIt

and save it to your Desktop. This tool will remove all the tools we used to clean your pc.

• Double-click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not go ahead and delete it by yourself.
• If asked to restart the computer, please do so
  

Note:

If you receive a warning from your firewall or other security programs regarding

OTCleanIt

attempting to contact the internet, please allow it to do so.

AdwCleaner Removal:

• Double click on AdwCleaner.exe to run the tool.
• Click on Uninstall
• Confirm with Yes
  

ESET antivirus Removal:

• This tool can be uninstalled via the Control Panel, Programs, Uninstall
  

If there are any other left over Folders, Files, Logs then you can delete them on your own.

Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsers
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

• How Malware Spreads - How did I get infected
• Best Practices for Safe Computing - Prevention of Malware Infection
• Avoiding those unwanted free applications
• A close look at how Oracle installs deceptive software with Java updates
• IAC / Ask.com toolbars
• Malwarebytes Unpacked Blog
  

 
If you're not currently using Malwarebytes PRO then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.
 

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!